Hero Framework Cross-Site Scripting and Request Forgery Vulnerabilities

Published: 2013-01-16 08:32:15

CVSS Base Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact:
Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Affected Versions:
Hero Framework version 3.76

Technical Details:
- Input passed to the 'q' parameter in search and the 'username' parameter in users/login (when 'errors' is set to 'true') is not properly sanitised before being returned to the user.
- The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests.
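The two defects listed above map to two server-side controls: HTML-encoding any request parameter before it is reflected into a page, and binding state-changing requests to a per-session anti-forgery token. The following is an added illustration written for this page, not code from Hero Framework or from the advisory; the function names, the fixed session secret and the sample form data are constructed for the example.

```python
"""Added example (not Hero Framework code): the defensive controls that address
reflected XSS in a search parameter and missing request-validity checks (CSRF).
All names and sample values here are constructed for illustration."""
import hashlib
import hmac
import html

# Constructed demo secret; a real deployment would load a random per-server key.
SESSION_SECRET = b"constructed-demo-secret-not-for-production"


def render_search_unsafe(q: str) -> str:
    """Reflects the parameter verbatim: the pattern the advisory describes."""
    return f"<p>Results for: {q}</p>"


def render_search_safe(q: str) -> str:
    """html.escape encodes < > & " ' so the value stays inside the text node."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Derive a token bound to the session; the secret never leaves the server."""
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_secret: bytes, session_id: str, submitted: str) -> bool:
    """Constant-time comparison so token checks do not leak timing information."""
    expected = issue_csrf_token(session_secret, session_id)
    return hmac.compare_digest(expected, submitted or "")


def handle_state_change(session_secret: bytes, session_id: str, form: dict) -> tuple[int, str]:
    """Reject any state-changing request whose token is absent or does not match."""
    if not csrf_token_valid(session_secret, session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"


def demo() -> dict:
    """Run both controls against constructed input and return the outcomes."""
    payload = "<script>alert(1)</script>"
    sid = "constructed-session-123"
    token = issue_csrf_token(SESSION_SECRET, sid)
    return {
        "unsafe_reflects_tag": "<script>" in render_search_unsafe(payload),
        "safe_reflects_tag": "<script>" in render_search_safe(payload),
        "legit_request": handle_state_change(SESSION_SECRET, sid, {"csrf_token": token})[0],
        "forged_request": handle_state_change(SESSION_SECRET, sid, {})[0],
    }


if __name__ == "__main__":
    print(demo())
```

The escaping in `render_search_safe` belongs at the point of output, not at input time, so the same value can be safely rendered in other contexts; the token check in `handle_state_change` must run on every request that changes state, including those that the framework exposes via plain GET.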

Recommendations:
No known solution was made available for at least one year after the disclosure of this vulnerability, and it is likely that none will be provided. General solution options are to upgrade to a newer release, disable the respective features, remove the product, or replace it with another one.

Summary:
This host is installed with Hero Framework and is prone to multiple cross-site scripting and CSRF vulnerabilities.

Solution Type:
Vendor will not fix

Detection Type:
remote_app

SecurityFocus Bugtraq ID:
57035 (https://www.securityfocus.com/bid/57035)

References:

http://secunia.com/advisories/51668
http://www.securityfocus.com/bid/57035
http://xforce.iss.net/xforce/xfdb/80796
http://packetstormsecurity.com/files/119470
http://seclists.org/fulldisclosure/2013/Jan/62
http://www.darksecurity.de/advisories/2012/SSCHADV2012-023.txt

Severity:
Medium

CVSS Score:
4.3
